
rebase with master

This commit is contained in:
shivkumar dudhani 2019-07-19 20:39:31 -07:00
parent 99782e4d95
commit 15918ec0d8
20 changed files with 324 additions and 41 deletions


@ -184,7 +184,7 @@ spec:
containers:
- name: kyverno
image: nirmata/kyverno:latest
args: ["--filterKind","Nodes,Events,APIService,SubjectAccessReview"]
args: ["--filterKind","Node,Event,APIService,Policy,TokenReview,SubjectAccessReview"]
ports:
- containerPort: 443
securityContext:
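Review bot: The `--filterKind` list now names `Policy`, which presumably exempts kyverno.io Policy objects themselves from admission processing, and `TokenReview`/`SubjectAccessReview` are non-persisted request kinds, but nothing in the manifest records why these kinds are skipped; add `# kinds excluded from admission processing (singular Kubernetes Kind names); Policy is skipped so the engine does not process its own policy objects` above the `args` line. The two `args` lines carry no +/- marker, so which one is the new value is inferred from print order only; if the longer list is the new one, the kind names also changed from plural (`Nodes`, `Events`) to the singular Kind names the API server reports, which is worth a comment since a misspelled kind silently filters nothing. The enclosing Deployment spec starts before this hunk.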


@ -0,0 +1,21 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-deployment
labels:
app: nginx
cli: test
spec:
replicas: 1
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx:latest
# imagePullPolicy: IfNotPresent
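Review bot: The fixture carries no comment saying which policy it exercises or what outcome is expected; `image: nginx:latest` with `imagePullPolicy` commented out reads as the input the `image-pull-policy` overlay is meant to mutate, so a header such as `# input for the image-pull-policy mutate test: :latest image without an imagePullPolicy` would make that explicit. The Deployment also declares no ports, probes or securityContext, which is fine for a mutate fixture but should not be copied as a workload template.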


@ -0,0 +1,26 @@
apiVersion : kyverno.io/v1alpha1
kind: Policy
metadata:
name: image-pull-policy
spec:
rules:
- name: image-pull-policy
resource:
kinds:
- Deployment
# - StatefulSet
# name: "my-deployment"
# selector :
# matchLabels:
# app.type: prod
# namespace: "my-namespace"
mutate:
overlay:
spec:
template:
spec:
containers:
# select images which end with :latest
- (image): "*latest"
# require that the imagePullPolicy is "IfNotPresent"
imagePullPolicy: IfNotPresent
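Review bot: Forcing `imagePullPolicy: IfNotPresent` on `:latest` images reverses the Kubernetes default (`Always` for `:latest`) and lets a pod run whatever image of that name is already cached on the node, without a fresh pull or a pull-secret check on a shared node; that is the scenario the AlwaysPullImages admission controller exists to prevent, so the rule should say it is a demo/test overlay rather than a hardening policy, e.g. `# demo overlay: in production :latest should keep Always (see AlwaysPullImages)`. The anchor `(image): "*latest"` also matches any reference whose string merely ends in `latest`, such as a tag like `notlatest` or a repository named `latest`; anchoring on the tag with `(image): "*:latest"` is tighter. Only `containers` is covered, so `initContainers` using a `:latest` image are left untouched.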


@ -0,0 +1,21 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-deployment
labels:
app: nginx
cli: test
spec:
replicas: 1
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
# image: nginx
image: nirmata/nginx


@ -0,0 +1,22 @@
apiVersion : kyverno.io/v1alpha1
kind: Policy
metadata:
name: check-registries
spec:
rules:
- name: check-registries
resource:
kinds:
- Deployment
- StatefulSet
namespace: default
validate:
message: "Registry is not allowed"
pattern:
spec:
template:
spec:
containers:
- name: "*"
# Check allowed registries
image: "*nirmata* | https://private.registry.io/*"
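Review bot: The allowed-registry pattern `*nirmata*` is not anchored to the registry, so any image reference containing `nirmata` anywhere — `evil.example/nirmata/app` or `docker.io/attacker/nirmata-lookalike` — passes the check; anchor it to the registry/namespace prefix, e.g. `image: "nirmata/* | docker.io/nirmata/* | private.registry.io/*"`. The second alternative `https://private.registry.io/*` can never match, because image references carry no URL scheme, so that branch is dead and the rule effectively allows only `*nirmata*`. Only `spec.template.spec.containers` is inspected, so `initContainers` can still pull from any registry, and the rule is scoped to `namespace: default` only — both worth a comment if intentional.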


@ -8,7 +8,7 @@ spec:
resource:
kinds:
- Namespace
name: "*"
name: "devtest"
generate:
kind: NetworkPolicy
name: deny-ingress-traffic
@ -23,3 +23,8 @@ spec:
annotations: {}
labels:
policyname: "default"
# kind: ConfigMap
# name: default-config
# clone:
# namespace: default
# name: config-template
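Review bot: Narrowing the Namespace match from `"*"` to `"devtest"` means the generated `deny-ingress-traffic` NetworkPolicy is created only for that one namespace, so every other new namespace no longer receives a default-deny; if this is a test scoping, say so with `# test: only generate for the devtest namespace`, otherwise the wildcard should stay. The two `name:` lines carry no +/- marker, so which is new is inferred from print order only. The commented-out `clone:` block is dead configuration and should be removed or explained. The enclosing Policy spec starts before this hunk.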


@ -0,0 +1,21 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: psp-demo-unprivileged
labels:
app.type: prod
spec:
replicas: 1
selector:
matchLabels:
app: psp
template:
metadata:
labels:
app: psp
spec:
securityContext:
runAsNonRoot: true
containers:
- name: sec-ctx-unprivileged
image: nginxinc/nginx-unprivileged


@ -0,0 +1,21 @@
apiVersion : kyverno.io/v1alpha1
kind: Policy
metadata:
name: policy-security-context
spec:
rules:
- name: validate-runAsNonRoot
resource:
kinds:
- Deployment
selector :
matchLabels:
app.type: prod
validate:
message: "security context 'runAsNonRoot' shoud be set to true"
pattern:
spec:
template:
spec:
securityContext:
runAsNonRoot: true
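Review bot: The pattern checks only the pod-level `spec.template.spec.securityContext.runAsNonRoot`, but a container-level `securityContext.runAsNonRoot: false` overrides it, so a Deployment can satisfy this rule and still run as root; either also require it under `containers: - securityContext: runAsNonRoot: true` or document the gap with `# pod-level only: a container securityContext can override this`. The message on the `validate:` line has a typo, `shoud` → `should`. `initContainers` are not covered, and the `app.type: prod` selector means unlabeled Deployments are never checked, which is worth stating in a comment.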


@ -0,0 +1,32 @@
apiVersion: v1
kind: Pod
metadata:
labels:
test: probe
name: probe
spec:
containers:
- name: readiness
image: k8s.gcr.io/busybox
args:
- /bin/sh
- -c
- touch /tmp/healthy; sleep 30; rm -rf /tmp/healthy; sleep 600
readinessProbe:
# successThreshold: 3
exec:
command:
- cat
- /tmp/healthy
- name: liveness
image: k8s.gcr.io/liveness
args:
- /server
livenessProbe:
httpGet:
path: /healthz
port: 8080
httpHeaders:
- name: Custom-Header
value: Awesome
periodSeconds: 3


@ -0,0 +1,33 @@
apiVersion : kyverno.io/v1alpha1
kind : Policy
metadata :
name: check-probe-exists
spec:
rules:
- name: check-readinessProbe-exists
resource:
kinds :
- Pod
validate:
message: "readinessProbe is required"
pattern:
spec:
containers:
- (name): "readiness"
readinessProbe:
successThreshold: ">1"
- name: check-livenessProbe-exists
resource:
kinds :
- Pod
validate:
message: "livenessProbe is required"
pattern:
spec:
containers:
- (name): "liveness"
livenessProbe:
httpGet:
path: "?*"
port: "*"
scheme: "?*"
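Review bot: The `check-readinessProbe-exists` rule's message says `readinessProbe is required`, but its pattern actually requires `successThreshold: ">1"`, a different and stricter condition that a probe with the default threshold of 1 (as in the companion test Pod, where `successThreshold` is commented out) fails; if existence is what is meant, match the probe with a wildcard value rather than a specific field — the exact existence-wildcard form depends on this engine's pattern syntax, so verify. The liveness rule requires `scheme: "?*"`, yet `scheme` is optional on `httpGet` and absent from the test Pod, so the rule presumably fails on that fixture unless defaults are filled in before validation — confirm which outcome is intended and record it in a comment. Both rules are anchored on fixed container names (`readiness`, `liveness`), so a container with any other name is not checked at all.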


@ -0,0 +1,22 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: psp-demo-unprivileged
labels:
app.type: prod
spec:
replicas: 1
selector:
matchLabels:
app: psp
template:
metadata:
labels:
app: psp
spec:
containers:
- name: sec-ctx-unprivileged
image: nginxinc/nginx-unprivileged
securityContext:
runAsNonRoot: true
allowPrivilegeEscalation: true
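Review bot: `allowPrivilegeEscalation: true` next to `runAsNonRoot: true` is presumably a deliberately non-compliant input for the `container-security-context` validate rule, but nothing says so; add `# expected to be rejected: allowPrivilegeEscalation must be false` so it is not mistaken for a sample workload. The `app.type: prod` label is what brings it under that policy's selector, which belongs in the same comment.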


@ -0,0 +1,26 @@
apiVersion : kyverno.io/v1alpha1
kind: Policy
metadata:
name: container-security-context
spec:
rules:
- name: validate-user-privilege
resource:
kinds:
- Deployment
selector :
matchLabels:
app.type: prod
validate:
message: "validate container security contexts"
pattern:
spec:
template:
spec:
containers:
- securityContext:
runAsNonRoot: true
allowPrivilegeEscalation: false
# fields can be customized
# privileged: false
# readOnlyRootFilesystem: true
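Review bot: The message `validate container security contexts` does not tell the submitter which field failed; since the rule checks two things (`runAsNonRoot: true`, `allowPrivilegeEscalation: false`), either split it into two rules or state both requirements in the message. `privileged: false` and `readOnlyRootFilesystem: true` are left commented out, so a `privileged: true` container passes this rule; `privileged: false` at least should be active. `initContainers` are not checked, and the array element carries no `name` anchor, so whether the pattern applies to every container or only a matching one depends on the engine's array semantics — a `- name: "*"` anchor would make the intent explicit.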


@ -1,13 +0,0 @@
apiVersion: v1
kind: Endpoints
metadata:
name: demo-endpoint
labels:
label : test
subsets:
- addresses:
- ip: 192.168.10.171
ports:
- name: secure-connection
port: 443
protocol: TCP


@ -1,24 +0,0 @@
apiVersion : kyverno.io/v1alpha1
kind : Policy
metadata :
name : policy-endpoints
spec :
rules:
- name: demo-ep
resource:
kinds :
- Endpoints
selector:
matchLabels:
label : test
name: demo-endpoint
mutate:
patches:
# add a new label
- path: /metadata/labels/app.type
op: add
value: dev
# replace port
- path : /subsets/0/ports/0/port
op : replace
value: 9663

70
pkg/engine/overlay_new.go Executable file

@ -0,0 +1,70 @@
package engine
import (
"reflect"
)
// func processoverlay(rule kubepolicy.Rule, rawResource []byte, gvk metav1.GroupVersionKind) ([][]byte, error) {
// var resource interface{}
// var appliedPatches [][]byte
// err := json.Unmarshal(rawResource, &resource)
// if err != nil {
// return nil, err
// }
// patches, err := mutateResourceWithOverlay(resource, *rule.Mutation.Overlay)
// if err != nil {
// return nil, err
// }
// appliedPatches = append(appliedPatches, patches...)
// return appliedPatches, err
// }
func applyoverlay(resource, overlay interface{}, path string) ([][]byte, error) {
var appliedPatches [][]byte
// resource item exists but has different type - replace
// all subtree within this path by overlay
if reflect.TypeOf(resource) != reflect.TypeOf(overlay) {
patch, err := replaceSubtree(overlay, path)
if err != nil {
return nil, err
}
appliedPatches = append(appliedPatches, patch)
}
return applyOverlayForSameTypes(resource, overlay, path)
}
func checkConditions(resource, overlay interface{}, path string) bool {
switch typedOverlay := overlay.(type) {
case map[string]interface{}:
typedResource := resource.(map[string]interface{})
if !checkConditionOnMap(typedResource, typedOverlay) {
return false
}
case []interface{}:
typedResource := resource.([]interface{})
if !checkConditionOnArray(typedResource, typedOverlay) {
return false
}
case string, float64, int64, bool:
default:
return false
}
return true
}
func checkConditionOnMap(resourceMap, overlayMap map[string]interface{}) bool {
// _ := getAnchorsFromMap(overlayMap)
return false
}
func checkConditionOnArray(resource, overlay []interface{}) bool {
return false
}
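Review bot: `checkConditions` uses unchecked type assertions (`resource.(map[string]interface{})`, `resource.([]interface{})`) on the admission-request resource, so a resource whose field has a different type than the overlay — exactly the case `applyoverlay` tests for a few lines above — panics inside the webhook on user-controlled input; use comma-ok assertions and return false on mismatch. In `applyoverlay` the type-mismatch branch builds a replace patch and then discards it, because the function falls through to `return applyOverlayForSameTypes(...)` with the mismatched types; that branch should return the patch it built. `checkConditionOnMap` and `checkConditionOnArray` are stubs that always return false, so every map or array overlay currently fails the condition check — mark them with `// TODO` or keep the file out of the build until implemented. The hunk header reports 70 added lines but 56 are shown, so blank lines were likely dropped in rendering; if the file continues past `checkConditionOnArray`, that part is outside this view.
```go
func applyoverlay(resource, overlay interface{}, path string) ([][]byte, error) {
	// resource item exists but has different type - replace
	// all subtree within this path by overlay
	if reflect.TypeOf(resource) != reflect.TypeOf(overlay) {
		patch, err := replaceSubtree(overlay, path)
		if err != nil {
			return nil, err
		}
		// the replace patch is the whole result for this path
		return [][]byte{patch}, nil
	}
	return applyOverlayForSameTypes(resource, overlay, path)
}

func checkConditions(resource, overlay interface{}, path string) bool {
	switch typedOverlay := overlay.(type) {
	case map[string]interface{}:
		// comma-ok: a non-map resource must not panic the webhook
		typedResource, ok := resource.(map[string]interface{})
		if !ok || !checkConditionOnMap(typedResource, typedOverlay) {
			return false
		}
	case []interface{}:
		typedResource, ok := resource.([]interface{})
		if !ok || !checkConditionOnArray(typedResource, typedOverlay) {
			return false
		}
	// … unchanged: scalar and default cases …
	}
	return true
}
```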